Re: Policy URL -> Policy URI
Rick van Rein <rick@openfortress.nl> Tue, 08 February 2005 09:41 UTC
Date: Tue, 08 Feb 2005 10:24:10 +0100
From: Rick van Rein <rick@openfortress.nl>
Subject: Re: Policy URL -> Policy URI
In-reply-to: <3c14e78650fa58b06576b2e617409837@callas.org>
To: Jon Callas <jon@callas.org>
Cc: Rick van Rein <rick@openfortress.nl>, ietf-openpgp@imc.org
Message-id: <20050208092410.GC33720@phantom.vanrein.org>
References: <20050207105021.GA17950@phantom.vanrein.org> <3c14e78650fa58b06576b2e617409837@callas.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Jon, others,

> Okay, I see what you're saying, but is it necessary?

I think it is.

1. I think PGP is providing too little certainty about the meaning
   of a signature with its current four-grade signing setup. At least,
   it is not suitable for commercial use, which would be great to
   support. A suitable policy mechanism can help in that case.

2. It is not smart to fall behind on other signing flexibility; PGP
   already lacks the appeal to decision-makers that PKIX and even
   XML Signing have; any URN-based policy initiative could therefore
   easily forget to incorporate PGP and render it useless for that
   kind of application.

3. There are always work-arounds. For example, the kind of schemes
   suggested under 2. could declare a website to do the translation
   from URN to URL for the sake of PGP. Aside from that being awkward,
   it would be a challenge to the longevity of the spec and may for
   that reason be left out. We don't want that to happen.

> A long time ago, the keyserver URL said URI and we changed it for
> reasons that I can't remember. I think it's because we didn't think it
> was necessary, that if it happened to be a URI, the worst that could
> happen would be that someone wouldn't understand it, but that's always
> a risk.

Indeed, the *keyserver* should not be referenced by name -- if you cannot
determine the location of a server what is it going to be good for?

For policies, I think we have a whole different matter at hand --
references to books, an ISSN-series of widely acknowledged signing
policies and ASN.1 OIDs are all good ways to point at a policy.
Moreover, they are supportive of Internet-wide schemes, which is
rarely the case if a URL is used.

Imagine that I would start pushing PGP-signers to follow

    http://openfortress.nl/doc/some-policy.pdf

How would that make you feel? It would mean some company set it up.
A company with full control over the URL. Other companies are going
to be too proud or too smart to use the same signing policy *location*.
Even if they literally copy the content, the average signature validator
would not notice because the strings differ. In short, URLs are bad for
interoperable policies.

A URN-scheme on the other hand, can serve quite well for Internet-wide,
non-proprietary published policies. It can enforce the secure hash of
a document, which can only be weakly suggested in a URL. That would take
care of the pride issue. Furthermore, URNs can support rewriting to
equivalent forms, which would be helpful for supportive software to find
more matches than a simple string match can be.

> If you happened to put in the policy URL an ISBN number, wouldn't it be
> obvious what it meant? Wouldn't it work just fine?

There are always work-arounds, but why invite them? There are no
disadvantages to changing to a Policy URI.

> I don't mind changing it, but is this just a difference without
> distinction?

The change is vital in my opinion.

Thanks,
 -Rick
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)
Comment: To understand digital signatures visit http://openfortress.nl

iD8DBQFCCIUsFBGpwol1RgYRAm41AJ4p8RN6BJ88+BW+gI7vkbodv6BH7ACeP2Wq
GL8TuglRzRNGvW2/PyeDH2Y=
=axg7
-----END PGP SIGNATURE-----
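
Added example, not part of the original message or of any OpenPGP implementation: a sketch of how a signature validator could compare policy identifiers, showing why two copies of one policy at different URLs never match while URNs can be normalized (RFC 2141 lexical equivalence) and can carry a document hash. The `urn:example:policy:sha256:` layout, the function names and the second URL are assumptions made for illustration.

```python
import hashlib
import re

# RFC 2141 lexical equivalence: the "urn:" prefix and the namespace identifier
# (NID) are case-insensitive; the namespace-specific string (NSS) is
# case-sensitive except for the hex digits of %-escapes.
URN_RE = re.compile(r"^urn:([a-z0-9][a-z0-9-]{0,31}):(.+)$", re.IGNORECASE)

# Assumption: a hash-bearing layout under the reserved "example" NID (RFC 6963).
HASH_PREFIX = "urn:example:policy:sha256:"


def normalize_policy_uri(uri: str) -> str:
    """Canonical form for comparison. Non-URN URIs (URLs) are left as-is,
    so they only ever match by exact string equality."""
    uri = uri.strip()
    m = URN_RE.match(uri)
    if not m:
        return uri
    nid, nss = m.group(1).lower(), m.group(2)
    nss = re.sub(r"%[0-9A-Fa-f]{2}", lambda e: e.group(0).upper(), nss)
    return f"urn:{nid}:{nss}"


def same_policy(a: str, b: str) -> bool:
    return normalize_policy_uri(a) == normalize_policy_uri(b)


def hash_urn(document: bytes) -> str:
    return HASH_PREFIX + hashlib.sha256(document).hexdigest()


def document_matches(uri: str, document: bytes) -> bool:
    """True only if uri is a hash URN and the document has that SHA-256."""
    return normalize_policy_uri(uri) == hash_urn(document)


if __name__ == "__main__":
    policy = b"Constructed sample policy text.\n"
    # Same content published at two locations: the strings differ.
    print(same_policy("http://openfortress.nl/doc/some-policy.pdf",
                      "http://example.com/doc/some-policy.pdf"))   # False
    # Same content named by hash, written with different case in the prefix.
    urn = hash_urn(policy)
    print(same_policy(urn, "URN:EXAMPLE:" + urn[len("urn:example:"):]))  # True
    print(document_matches(urn, policy + b"tampered"))              # False
```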